Shellshock - pfSense not vulnerable?
-
(Edited because my OP was uninformed)
My understanding is that FreeBSD never included Bash shell by default and therefore isn't susceptible to the ShellShock bug.
ref: https://news.ycombinator.com/item?id=8365110
If you can confirm, deny or add anything - please do.
-
FreeBSD != Linux, friends.
Edited version of internal email from jimp follows.
The base system doesn't include bash, so unless it's being pulled in another way we can't see, pfsense is not affected.
Unless you've loaded one of three packages, there is no bash binary on the system.
The affected packages are:
Anyterm: Contains bash in its binaries which are in the git repo(!), not a .pbi or .tgz. We're removing the package entirely from the repo. No archive. It's not worth keeping.
(Gonzopancho adds: Bye bye. I've been bitching internally about packages we didn't compile. Now everyone understands why. We will not distribute packages we don't compile.)
Freeswitch-dev: Runs pkg_add for bash. Unmaintained package. Could probably be safely removed.
FreeRADIUS2: Adds bash via pkg_add using FreeBSD's 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). Commonly used package, though we are unsure if the maintainer is still around. Will be deactivated for 2.0.x but kept for 2.1+. For 2.1 we can either build/host an up-to-date tgz for it to pkg_add to minimize changes to the code in the package or build bash into the .pbi and adjust its paths/code to handle that better. We favor adding it to the PBI so that if it happens in the future we need only build a new PBI as usual.
Overall, not a huge impact.
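The post above says bash only reaches a pfSense box through a package that installs it with pkg_add. As an added example (not from the thread, and not pfSense's own tooling), here is a small POSIX sh audit that looks for a bash binary in the usual package locations and, if one is present, checks whether that bash still imports function definitions from the environment; the candidate paths and the pkg_info fallback are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit a FreeBSD/pfSense host for a
# package-installed bash and report whether it imports functions from the
# environment (the Shellshock behaviour) or has been patched.

# Candidate locations for a bash pulled in by pkg_add or a package (assumed).
BASH_CANDIDATES="/usr/local/bin/bash /bin/bash /usr/bin/bash"

# shellshock_status <path-to-shell>
# Prints one of: absent, vulnerable, not_vulnerable.
# The shell is started with a harmless exported variable shaped like a bash
# function definition. An unpatched bash parses the trailing command and
# prints the marker; a patched bash, or any non-bash shell, ignores it.
shellshock_status() {
    bin=$1
    if [ ! -x "$bin" ]; then
        printf 'absent\n'
        return 0
    fi
    out=$(env canary='() { :;}; echo SHELLSHOCK_MARKER' "$bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) printf 'vulnerable\n' ;;
        *)                   printf 'not_vulnerable\n' ;;
    esac
}

# audit_bash: check every candidate path; returns 1 if any bash is vulnerable.
audit_bash() {
    rc=0
    for p in $BASH_CANDIDATES; do
        s=$(shellshock_status "$p")
        printf '%s: %s\n' "$p" "$s"
        if [ "$s" = vulnerable ]; then
            rc=1
        fi
    done
    # On FreeBSD 8.x (pfSense 2.0/2.1) also report a registered bash package
    # (assumed check; pkg_info is absent on non-FreeBSD hosts and is skipped).
    if command -v pkg_info >/dev/null 2>&1; then
        pkg_info 2>/dev/null | grep -i '^bash-' || printf 'no bash package registered\n'
    fi
    return $rc
}

audit_bash
```

A FreeRADIUS2 install with the one-time-password option described in the post would show up here as a bash under /usr/local/bin, which is the case this audit is meant to catch.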
-
There is some additional info in the main thread for this issue:
https://forum.pfsense.org/index.php?topic=82163.0
And also on the blog:
https://blog.pfsense.org/?p=1457
And in our security advisory:
https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc